Zabel Schellenberg Attorney Owen Weaver’s Law Review Article Cited in Federal Data Breach Litigation

Zabel Schellenberg is pleased to share that a scholarly article authored by attorney Owen Weaver has been cited by a federal court in a major data-security case.

Weaver’s article, “A Missed Opportunity to Bolster Consumer Protection in Massachusetts: How Massachusetts Residents Are Still Without a Private Right of Action After the TJX Security Breach,” was published in the New England Law Review and examines gaps in Massachusetts consumer-protection law following one of the largest retail data breaches in U.S. history.

Recently, the United States District Court for the District of Montana cited the article in In re Snowflake, Inc. Data Security Breach Litigation, a multi-district case involving allegations that hackers accessed sensitive consumer information stored on Snowflake’s cloud data platform.

The litigation concerns claims brought by consumers whose personal data, including names, contact information, and partial credit-card details, was allegedly obtained after threat actors gained unauthorized access to accounts belonging to companies that used Snowflake’s cloud-based data storage services.

While analyzing the legal framework governing consumer remedies in data-breach cases, the court referenced Weaver’s law review article for its discussion of Massachusetts law and the absence of a private right of action under the state’s data-security statute.

In the article, Weaver explores the aftermath of the TJX Companies security breach and the enactment of Massachusetts General Laws Chapter 93H, which requires businesses to notify consumers when personal information has been compromised. The statute, however, does not allow individuals to directly sue for violations of its provisions, leaving many consumers to rely on other legal theories such as negligence or consumer-protection claims.

Weaver’s scholarship highlights the ongoing policy debate surrounding data-breach accountability and whether state legislatures should provide stronger enforcement mechanisms for consumers whose personal information has been exposed.

The court’s citation reflects the continued importance of legal scholarship in addressing emerging questions in data-breach and cybersecurity litigation. As courts confront complex issues surrounding consumer data protection and statutory remedies, the policy and legal questions explored in Weaver’s article remain highly relevant.